Data Processing Agreement

May 06, 2026

This Apturio Data Processing Agreement and its Annexes ("DPA") is incorporated into and forms part of the Apturio Customer Terms of Service between you and us (the "Agreement"). This DPA reflects the parties' agreement with respect to (i) the Processing of Customer Personal Data by us as a Processor or Service Provider on your behalf, and (ii) the Processing of Controller Personal Data by each party as a Controller in connection with our enrichment products and your use of the Apturio Tracking Code.

For Customers established in Quebec, carrying on business in Quebec, or Processing Personal Data of individuals located in Quebec, this DPA also reflects the parties' allocation of responsibilities under Quebec Privacy Law. To the extent that Apturio Processes Personal Data on behalf of Customer, Customer remains responsible for determining the purposes and means of Processing, providing legally required notices, obtaining legally required consents, and ensuring that its Instructions to Apturio comply with applicable law. Apturio will Process Customer Personal Data only in accordance with Customer's lawful Instructions, the Agreement, this DPA, and applicable Data Protection Laws.

In case of any conflict or inconsistency with other terms included in the Agreement, this DPA will take precedence to the extent of such conflict or inconsistency with respect to Processing of Personal Data. Where a mandatory provision of applicable Data Protection Laws, including Quebec Privacy Law, provides individuals with rights or imposes obligations that cannot be waived or limited by contract, that mandatory provision will prevail.

The Controller-to-Processor terms apply solely to the extent that Apturio is a Processor of Customer Personal Data in connection with the Subscription Services.

The Controller-to-Controller terms apply solely to the extent that Customer uses our enrichment products or the Apturio Tracking Code with Intent data sharing enabled, and each party is considered a Controller under Data Protection Laws.

We update these terms from time to time. If you have an active Apturio subscription, we will let you know when we do through an in-app notice or via email. Changes that materially reduce privacy protections for Customer Personal Data will not apply retroactively to Customer Personal Data already Processed unless required by law, agreed by Customer, or necessary to maintain the security or legal operation of the Subscription Services.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1. DEFINITIONS

"Affiliate" has the meaning given in the Agreement.

"California Personal Information" means Customer Personal Data that is subject to the protection of the CCPA.

"CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or "CPRA").

"Commission" or "CAI" means the Commission d'accès à l'information du Québec.

"Confidentiality Incident" means access, use, communication, loss, or other compromise of Personal Data not authorized by law, including any incident that constitutes a confidentiality incident under Quebec Privacy Law.

"Consumer," "Business," "Sell," "Service Provider," and "Share" will have the meanings given to them in the CCPA.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data. For Quebec Privacy Law purposes, this role generally corresponds to the enterprise that determines the purposes for which Personal Information is collected, used, or communicated.

"Controller Personal Data" means Personal Data that each party Processes as a Controller in connection with the enrichment products or the Apturio Tracking Code, where each party is considered a Controller under Data Protection Laws.

"Customer Personal Data" means Personal Data contained within Customer Data that Apturio Processes as a Processor on behalf of Customer.

"Customer Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. Customer Personal Data Breach includes a Confidentiality Incident involving Customer Personal Data where applicable under Quebec Privacy Law. Customer Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Data Privacy Framework" means the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded, or replaced.

"Data Privacy Framework Principles" means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded, or replaced.

"Data Protection Laws" means all applicable worldwide legislation relating to data protection and privacy which applies to the Processing of Personal Data under the Agreement, including without limitation European Data Protection Laws, the CCPA, PIPEDA, Quebec Privacy Law, other applicable Canadian federal or provincial privacy laws, other applicable U.S. federal and state privacy laws, and the data protection and privacy laws of Australia, Singapore, India, and Japan, in each case as amended, repealed, consolidated, or replaced from time to time.

"Data Subject" means the individual to whom Personal Data relates. For Quebec Privacy Law purposes, this includes a person concerned by Personal Information.

"Europe" means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

"European Data" means Customer Personal Data that is subject to the protection of European Data Protection Laws.

"European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (v) the Swiss Federal Data Protection Act and its Ordinance ("Swiss DPA"); in each case, as may be amended, superseded, or replaced.

"Instructions" means the written, documented instructions issued by Customer to Apturio, and directing Apturio to perform a specific or general action with regard to Customer Personal Data, including depersonalizing, anonymizing where legally applicable, blocking, deleting, returning, making available, or otherwise Processing Customer Personal Data.

"Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a "Customer" as defined under the Agreement, (ii) qualify as a Controller of Customer Personal Data or Controller Personal Data, and (iii) are subject to Data Protection Laws.

"Personal Data" means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws.

"Personal Information" has the meaning given to it under Quebec Privacy Law and, for purposes of this DPA, is included in the definition of Personal Data.

"Privacy Impact Assessment" or "PIA" means an assessment required under applicable Data Protection Laws to evaluate privacy risks and the measures needed to protect Personal Data, including an assessment required under Quebec Privacy Law before communicating Personal Information outside Quebec.

"Processing" means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, destruction, anonymization, or de-indexation. The terms "Process," "Processes," and "Processed" will be construed accordingly.

"Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

"Quebec Privacy Law" means the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, the Act to modernize legislative provisions as regards the protection of personal information, S.Q. 2021, c. 25, and related regulations, guidance, and successor legislation applicable to Personal Information in Quebec.

"Restricted Transfer" means transfer of Personal Data originating from Europe to a country that does not provide an adequate level of protection within the meaning of applicable European Data Protection Laws.

"Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Decision (EU) 2021/914 of 4 June 2021 currently found at https://eur-lex.europa.eu/eli/dec_impl/2021/914, as may be amended, superseded, or replaced.

"Sub-Processor" means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the Processing of Customer Personal Data under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any Apturio employee or consultant.

"UK Addendum" means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 currently found at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

2. CUSTOMER RESPONSIBILITIES

2.1 Compliance with Laws. Within the scope of the Agreement and your use of the services, you will be responsible for complying with all requirements that apply to you under Data Protection Laws with respect to your Processing of Personal Data.

In particular but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Customer Personal Data and the means by which you acquired such data; (ii) complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of Customer Personal Data, including providing adequate notices, obtaining any necessary consents and authorizations, and honoring opt-out preferences, particularly for use by Customer for marketing purposes; (iii) ensuring you have the right to transfer, communicate, or provide access to the Customer Personal Data to us for Processing in accordance with the terms of the Agreement, including this DPA; (iv) complying with all laws applicable to any emails, SMS, WhatsApp messages, calls, artificial intelligence outputs, automated workflows, or other content created, sent, or managed through the Subscription Services; and (v) ensuring that your use of Controller Personal Data complies with Data Protection Laws and is strictly limited to the purposes set out in the Agreement, including this DPA. You will inform us without undue delay if you are not able to comply with your responsibilities under this section or Data Protection Laws.

2.1.1 Quebec Customer Responsibilities. If Quebec Privacy Law applies, Customer is responsible for: (i) designating and publishing contact information for the person in charge of the protection of personal information where required; (ii) providing required notices at or before collection of Personal Information; (iii) obtaining valid consent where required, including express consent where required by law; (iv) informing individuals where required about identification, location, profiling, tracking, or automated decision-making technologies used by Customer; (v) maintaining privacy policies and governance practices required by law; (vi) completing any required PIA before communicating Personal Information outside Quebec or before implementing projects that require a PIA; (vii) responding to access, rectification, withdrawal of consent, portability, de-indexation, and automated decision-related requests; and (viii) maintaining records and evidence necessary to demonstrate compliance.

2.2 Customer Instructions. You are responsible for ensuring that your Instructions to us regarding the Processing of Customer Personal Data comply with applicable laws, including Data Protection Laws. The parties agree that the Agreement, including this DPA, together with your use of the Subscription Service in accordance with the Agreement, constitute your complete Instructions to us in relation to Apturio's Processing of Customer Personal Data, provided that you may issue additional Instructions during the Subscription Term that are consistent with the Agreement and the nature and lawful use of the Subscription Service.

2.3 Security. You are responsible for independently determining whether the data security provided for in the Subscription Service adequately meets your obligations under Data Protection Laws. You are also responsible for your secure use of the Subscription Service, including protecting the security of Personal Data in transit to and from the Subscription Service, securely configuring integrations and user permissions, maintaining appropriate authentication controls, and securely backing up or encrypting data where appropriate.

2.4 Sensitive Personal Information and Regulated Data. Unless expressly permitted in the Agreement or an applicable Order, Customer will not submit to the Subscription Services any Personal Data that is subject to heightened regulatory obligations not supported by the Subscription Services, including protected health information subject to HIPAA, payment card data subject to PCI DSS, biometric information requiring prior regulatory notice, information about minors where parental consent is required, or other sensitive Personal Information requiring express consent, unless Customer has ensured that the Subscription Services are configured and contracted to support such Processing and Customer has obtained all legally required consents and authorizations.

3. APTURIO OBLIGATIONS AS PROCESSOR

3.1 Compliance with Instructions. We will only Process Customer Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us.

3.2 Conflict of Laws. If we become aware that we cannot Process Customer Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing, other than merely storing and maintaining the security of the affected Customer Personal Data, until such time as you issue new Instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Subscription Services until such time as you issue new lawful Instructions with regard to the Processing.

3.3 Security. We will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from Customer Personal Data Breaches, as described under Annex 2 to this DPA ("Security Measures"). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

3.4 Confidentiality. We will ensure that any personnel whom we authorize to Process Customer Personal Data on our behalf is subject to appropriate confidentiality obligations, whether a contractual or statutory duty, with respect to that Customer Personal Data.

3.5 Customer Personal Data Breaches and Confidentiality Incidents. We will notify you without undue delay, but no later than seventy-two (72) hours, after we become aware of any Customer Personal Data Breach. Where Quebec Privacy Law applies, we will also provide reasonable information available to us to assist Customer in assessing whether the incident presents a risk of serious injury and whether notice to the CAI or affected individuals is required. We will provide timely information relating to the Customer Personal Data Breach as it becomes known or reasonably requested by you, including, where available and applicable: (i) the nature of the incident; (ii) the categories and approximate number of affected individuals; (iii) the categories and approximate volume of affected Customer Personal Data; (iv) likely consequences; (v) measures taken or proposed to mitigate adverse effects; and (vi) relevant contact information for follow-up.

At your request, we will promptly provide reasonable assistance necessary to enable you to notify relevant Customer Personal Data Breaches or Confidentiality Incidents to competent authorities and/or affected Data Subjects if you are required to do so under Data Protection Laws. We will maintain reasonable internal records of Customer Personal Data Breaches involving Customer Personal Data and provide information reasonably required for Customer's own incident register, to the extent required by applicable law and available to us.

3.6 Deletion or Return of Customer Personal Data. We will delete or return all Customer Data, including Customer Personal Data and copies thereof, Processed pursuant to this DPA, on termination or expiration of your Subscription Service in accordance with the procedures set out in our Product Specific Terms. This term will apply except where we are required by applicable law to retain some or all of the Customer Data, or where we have archived Customer Data on back-up systems, which data we will securely isolate and protect from any further Processing and delete in accordance with our deletion practices.

If you need help retrieving your Customer Data during the Subscription Term, we will provide reasonable assistance to you, at your cost, and in accordance with the Confidentiality section of the General Terms. We will notify you in advance of any applicable costs which will be commercially reasonable.

3.7 Assistance with Quebec Privacy Law Obligations. Where Quebec Privacy Law applies and Customer cannot reasonably fulfill its obligations through the Subscription Services, Apturio will provide reasonable assistance, taking into account the nature of Processing and information available to Apturio, with: (i) Data Subject requests; (ii) Confidentiality Incident assessment and notification; (iii) PIAs related to Apturio's Processing of Customer Personal Data, including cross-border transfers; (iv) information reasonably required to document Apturio's use of Sub-Processors; and (v) information reasonably required to demonstrate security safeguards. Apturio may charge commercially reasonable fees for assistance that is not included in the Subscription Services, unless such assistance is required because of Apturio's breach of this DPA.

3.8 AI and Automated Processing. To the extent Apturio provides AI, automation, enrichment, lead scoring, recommendation, or workflow functionality as part of the Subscription Services, Apturio will Process Customer Personal Data through such functionality only as configured by Customer or as otherwise described in the Agreement. Unless expressly stated in an Order, Apturio does not make legally binding decisions about Customer's Data Subjects on Customer's behalf. Customer is responsible for determining whether its use of such functionality constitutes a decision based exclusively on automated Processing under applicable law and for providing any legally required notices, explanations, human review, or contestation mechanisms.

4. DATA SUBJECT REQUESTS

The Subscription Service provides you with a number of controls that you can use to retrieve, correct, delete, restrict, export, or otherwise manage Customer Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under Data Protection Laws ("Data Subject Requests").

To the extent that you are unable to independently address a Data Subject Request through the Subscription Service, then upon your written request we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Personal Data under the Agreement. You will reimburse us for the commercially reasonable costs arising from this assistance, and we will notify you of these costs in advance.

If a Data Subject Request or other communication regarding the Processing of Customer Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you, unless applicable law requires us to respond directly. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Customer Personal Data.

For Quebec Data Subjects, such requests may include, where applicable, access, rectification, withdrawal of consent, portability, de-indexation, information about automated decisions, and other rights provided under Quebec Privacy Law. Apturio will reasonably assist Customer with such requests as described above.

5. SUB-PROCESSORS

You agree we may engage Sub-Processors to Process Customer Personal Data on your behalf, and we do so in three ways. First, we may engage Sub-Processors to assist us with hosting and infrastructure. Second, we may engage Sub-Processors to support product features and integrations. Third, we may engage Apturio Affiliates as Sub-Processors for service and support. Some Sub-Processors will apply to you by default, and some Sub-Processors will apply only if you opt in or enable a feature, integration, channel, or add-on.

5.1 Sub-Processor Obligations. We will enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective in substance than those imposed on Apturio under this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor. We remain responsible for the performance of our Sub-Processors' obligations with respect to Customer Personal Data.

5.2 Sub-Processor Notice and Objection. We will maintain a list of Sub-Processors at a publicly available location or provide it upon request. We will provide notice of new Sub-Processors by posting an update, email, in-app notice, or other reasonable method. Customer may object to a new Sub-Processor on reasonable data protection grounds within thirty (30) days after notice. If Customer objects, the parties will work in good faith to resolve the objection. If no commercially reasonable resolution is available, Customer may terminate the affected Subscription Service in accordance with the Agreement.

5.3 Sub-Processor Information for PIAs. Where Quebec Privacy Law applies, Apturio will provide reasonably available information about applicable Sub-Processors, Processing locations, categories of Processing, and safeguards as reasonably necessary for Customer to conduct a PIA relating to communication of Personal Information outside Quebec.

6. DATA TRANSFERS

You acknowledge and agree that we may access and Process Customer Personal Data on a global basis as necessary to provide the Subscription Service in accordance with the Agreement, and in particular that Customer Personal Data may be transferred to and Processed by Apturio Solutions Inc., Apturio Affiliates, service providers, and Sub-Processors in Canada, the United States, and other jurisdictions where Apturio Affiliates and Sub-Processors have operations. Wherever Customer Personal Data is transferred outside its country or province of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

6.1 Quebec Cross-Border Communications. Where Quebec Privacy Law applies and Customer Personal Data is communicated outside Quebec, Customer is responsible for conducting any PIA required by Quebec Privacy Law before such communication. Apturio will provide reasonable assistance and information available to Apturio to support Customer's assessment, including information about Processing locations, categories of Sub-Processors, contractual safeguards, security measures, and retention/deletion practices. Apturio will not knowingly Process Customer Personal Data outside Quebec in a manner materially inconsistent with this DPA without providing Customer with reasonable notice where required by applicable law.

6.2 Transfer Safeguards. Cross-border transfers may be protected by contractual, organizational, and technical safeguards, including written processing terms with Sub-Processors, access controls, encryption where appropriate, confidentiality obligations, incident response procedures, and audit or assurance materials where available.

7. DEMONSTRATION OF COMPLIANCE

We will make all information reasonably necessary to demonstrate compliance with this DPA available to you and allow for and contribute to audits, including inspections conducted by you or your auditor in order to assess compliance with this DPA, where required by applicable law. You acknowledge and agree that you will exercise your audit rights under this DPA by instructing us to comply with the audit measures described in this section.

Upon request, and subject to confidentiality obligations, we will provide reasonably available security and compliance information, which may include summaries of security measures, third-party audit reports, security questionnaires, penetration testing summaries, or certifications where such materials are available and applicable to the Subscription Services. Any reference to SOC 2, ISO 27001, or similar certifications applies only to the extent such reports or certifications are then-current and actually available for Apturio or the applicable hosting Sub-Processor.

7.1 Audit Conditions. Any audit must: (i) be limited to information relevant to Apturio's Processing of Customer Personal Data; (ii) be conducted during normal business hours with reasonable prior notice; (iii) avoid unreasonable disruption to Apturio's business; (iv) protect the confidentiality, security, and privacy of other customers and systems; and (v) be subject to reasonable confidentiality and security requirements. Customer will be responsible for its audit costs unless the audit reveals a material breach of this DPA by Apturio.

8. QUEBEC PRIVACY LAW ADDENDUM

8.1 Scope. This section applies where Quebec Privacy Law applies to the Processing of Customer Personal Data or Controller Personal Data.

8.2 Privacy Officer. Each party is responsible for designating its own person in charge of the protection of personal information where required by Quebec Privacy Law. Apturio's privacy contact for matters relating to this DPA is: [email protected], unless another contact is published in Apturio's Privacy Policy or legal notices.

8.3 Transparency and Consent. Customer is responsible for providing privacy notices and obtaining legally required consents for Customer's collection, use, communication, and retention of Personal Information through the Subscription Services. Apturio will not use Customer Personal Data for purposes incompatible with this DPA unless permitted by Customer's Instructions, the Agreement, or applicable law.

8.4 Privacy by Default and Configuration. Where the Subscription Services include privacy-related settings, permissions, consent tools, tracking tools, or AI/automation features, Customer is responsible for configuring them appropriately for Customer's legal obligations, business context, and Data Subjects. Apturio will provide reasonable documentation or support information for available controls.

8.5 Automated Decisions. Where Customer uses the Subscription Services to render a decision based exclusively on automated Processing of Personal Information, Customer is responsible for informing the person concerned not later than the time the decision is communicated and, upon request, providing information required by Quebec Privacy Law, including the Personal Information used, reasons and principal factors or parameters that led to the decision, and the right to have the Personal Information corrected. Apturio will provide reasonable assistance where the necessary information is available to Apturio and relates to Apturio's Processing.

8.6 Tracking, Profiling, and Identification Technologies. Customer is responsible for providing legally required notices and activation information where Customer uses the Apturio Tracking Code, cookies, pixels, tags, analytics, enrichment, profiling, location, identification, or similar technologies on Customer Websites or digital properties.

8.7 Confidentiality Incident Register. Customer is responsible for maintaining its own register of Confidentiality Incidents where required by Quebec Privacy Law. Apturio will provide reasonable information available to Apturio about Confidentiality Incidents involving Customer Personal Data to support Customer's register and related notification obligations.

8.8 Retention and Destruction. Customer is responsible for determining lawful retention periods for Customer Personal Data. Apturio will retain, delete, return, or anonymize Customer Personal Data in accordance with the Agreement, this DPA, Customer's configuration, and applicable law. Where anonymization is used to satisfy a legal obligation, the parties will use a legally appropriate standard of anonymization under applicable law.

8.9 De-Indexation and Portability. Where Quebec Privacy Law grants rights to de-indexation or portability, Customer is responsible for responding to such requests. Apturio will provide reasonable assistance where Customer cannot fulfill the request through available Subscription Service controls and where the relevant Customer Personal Data is Processed by Apturio.

9. CANADIAN PRIVACY TERMS

9.1 PIPEDA and Provincial Laws. Where Canadian federal or provincial privacy laws apply, each party will comply with its obligations under such laws. Without limiting the foregoing, Customer is responsible for accountability, openness, consent, limiting collection, limiting use, disclosure, retention, accuracy, safeguards, individual access, and complaint handling obligations that apply to Customer as the organization controlling the Personal Data.

9.2 Service Provider Processing. Apturio will Process Customer Personal Data as a service provider to Customer and will not sell Customer Personal Data. Apturio will not use Customer Personal Data for independent marketing or unrelated commercial purposes except as permitted by the Agreement, this DPA, Customer's Instructions, or applicable law.

10. CONTROLLER-TO-CONTROLLER TERMS

10.1 Scope. This Controller-to-Controller Terms section will apply to the extent that the parties Process Controller Personal Data in connection with Customer's use of our enrichment products and the Apturio Tracking Code when Intent data sharing is enabled.

10.2 Role of Parties. The parties acknowledge and agree that they act as Controllers of Controller Personal Data and will comply with their respective obligations under Data Protection Laws when Processing Controller Personal Data. For clarity, nothing in the Agreement or this Controller-to-Controller Terms section shall restrict Apturio in any way from collecting, using, or sharing data that Apturio would otherwise Process independently of Customer's use of the Subscription Services, including our enrichment products, provided that such Processing complies with applicable Data Protection Laws.

10.3 Compliance with Laws. Each party will ensure that the Controller Personal Data it shares or makes available to the other party has been collected in compliance with Data Protection Laws, including (i) providing adequate notices and obtaining any required consents from Data Subjects; (ii) establishing a lawful basis for its Processing of Controller Personal Data; (iii) implementing appropriate technical and organizational measures to protect Controller Personal Data; and (iv) complying with any reporting obligations concerning personal data breaches or Confidentiality Incidents involving Controller Personal Data. As between the parties, Customer is responsible for providing all necessary notices, consents, and opt-out mechanisms for the use of the Apturio Tracking Code, and ensuring that its website discloses the use of third-party tracking technology in compliance with Data Protection Laws. If a Data Subject contacts either party to exercise their rights under Data Protection Laws, the contacted party shall either fulfill the request directly or, if this is not feasible, promptly notify and coordinate with the other party to ensure the request is fulfilled in accordance with Data Protection Laws. Customer agrees to delete Enrichment Outputs as defined under Apturio's Product Specific Terms if Customer determines that Customer does not have any independent lawful basis or substantively similar basis for Processing such data under Data Protection Laws.

10.4 Demonstration of Compliance. If either party receives any complaint, notice, or communication from a supervisory authority or other governmental authority which relates to the other party's: (i) Processing of Controller Personal Data; or (ii) potential failure to comply with Data Protection Laws with respect to the Processing of Controller Personal Data, that party shall direct the supervisory authority or governmental authority to the other party and, in the case of intertwined obligations, claims, or Controller Personal Data at issue, shall provide reasonable assistance to the other party in responding to the supervisory authority or governmental authority.

10.5 Security. We will implement and maintain reasonable security measures to protect Controller Personal Data. All Controller Personal Data is protected using appropriate physical, technical, and organizational measures. For more on security at Apturio, please see https://trust.apturio.com, if available, or the security documentation made available by Apturio.

10.6 CCPA Compliance. To the extent that the CCPA applies to the Processing of Controller Personal Data, each party acknowledges and agrees that: (i) such Controller Personal Data is made available to the other party solely for the limited and specified purposes set forth in the Agreement; (ii) the party receiving such Controller Personal Data shall comply with and provide the same level of privacy protection as is required by the CCPA; (iii) the party receiving such Controller Personal Data shall promptly notify the other party if it determines it can no longer meet its obligations under the CCPA; and (iv) the party providing such Controller Personal Data shall have the right, upon reasonable notice, to take reasonable and appropriate steps to ensure that the receiving party uses the Controller Personal Data in a manner consistent with its obligations under the CCPA and stop and remediate unauthorized uses of the Controller Personal Data.

11. TRANSFER MECHANISMS

Where the transfer of Customer Personal Data or Controller Personal Data between the parties involves a Restricted Transfer and European Data Protection Laws require putting in place appropriate safeguards, Apturio and Customer will comply with the following:

11.1 Data Privacy Framework. To the extent Apturio maintains an active and applicable Data Privacy Framework certification, Apturio will comply with the Data Privacy Framework Principles for Personal Data covered by such certification. If Apturio is not actively certified or the Data Privacy Framework does not apply to the Restricted Transfer, the applicable Standard Contractual Clauses or another lawful transfer mechanism will apply where required.

11.2 Standard Contractual Clauses. The Standard Contractual Clauses will be incorporated by reference and apply to the Restricted Transfer as follows:

(A) In relation to Customer Personal Data: (i) the Module Two terms apply to the extent Customer is a Controller and the Module Three terms apply to the extent Customer is a Processor of Customer Personal Data; (ii) in Clause 7, the optional docking clause applies; (iii) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the Sub-Processors section of this DPA; (iv) in Clause 11, the optional language is deleted; (v) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes will be determined in accordance with the Jurisdiction Specific Terms of the Agreement or, if such section does not specify an EU Member State, the Republic of Ireland without reference to conflicts of law principles; (vi) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (vii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.

(B) In relation to Controller Personal Data: (i) the Module One terms apply; (ii) in Clause 7, the optional docking clause applies; (iii) in Clause 11, the optional language is deleted; (iv) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes will be determined in accordance with the Jurisdiction Specific Terms of the Agreement or, if such section does not specify an EU Member State, the Republic of Ireland without reference to conflicts of law principles; (v) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and (vi) the supervisory authority that will act as competent supervisory authority will be the Irish Data Protection Commission.

(C) In relation to Customer Personal Data and Controller Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (A) and the following modifications: (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting "neither party"; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

(D) In relation to Customer Personal Data and Controller Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (A) and the following modifications: (i) references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA; (ii) references to "EU," "Union," and "Member State law" will be interpreted as references to Swiss law; and (iii) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection and Information Commissioner" and the relevant courts in Switzerland.

(E) In relation to Customer Personal Data that Apturio Processes as a Processor, you agree that by complying with our obligations under the Sub-Processors section of this DPA, Apturio fulfills its obligations under Section 9 of the Standard Contractual Clauses. For the purposes of Clause 9(c) of the Standard Contractual Clauses, you acknowledge that we may be restricted from disclosing Sub-Processor agreements but we will use reasonable efforts to require any Sub-Processor we appoint to permit it to disclose the Sub-Processor agreement to you and will provide on a confidential basis all information we reasonably can. You also acknowledge and agree that you will exercise your audit rights under Clause 8.9 of the Standard Contractual Clauses by instructing us to comply with the measures described in the Demonstration of Compliance section of this DPA.

(F) If and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict. Where the Apturio contracting entity under the Agreement is not Apturio Solutions Inc., such contracting entity will remain responsible and liable to you for the performance of the Standard Contractual Clauses by Apturio Solutions Inc. or the applicable Apturio entity involved in the Processing, and you will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity. If Apturio cannot comply with its obligations under the Standard Contractual Clauses for any reason, and you intend to suspend or terminate the transfer of Personal Data to Apturio, you agree to provide us with reasonable notice to enable us to cure such non-compliance and reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If we have not or cannot cure the non-compliance, you may suspend or terminate the affected part of the Subscription Service in accordance with the Agreement without liability to either party, but without prejudice to any fees you have incurred prior to such suspension or termination.

11.3 Alternative Transfer Mechanism. In the event that Apturio is required to adopt an alternative transfer mechanism under European Data Protection Laws, in addition to or other than the mechanisms described above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA, but only to the extent such alternative transfer mechanism complies with European Data Protection Laws, and you agree to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.

12. GENERAL PROVISIONS

12.1 Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the Compliance with Instructions or Security sections of this DPA, we reserve the right to make any updates and changes to this DPA and the terms that apply in the Amendment; No Waiver section of the General Terms will apply.

12.2 Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

12.3 Limitation of Liability. Each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA, including any other data processing agreements between the parties, and the Standard Contractual Clauses, where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Limitation of Liability section of the General Terms and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement, including this DPA. In no event will either party's liability be limited with respect to any individual's data protection rights where such limitation is prohibited by applicable Data Protection Laws.

12.4 Governing Law. This DPA will be governed by and construed in accordance with the Contracting Entity, Applicable Law, and Notice sections of the Jurisdiction Specific Terms, unless required otherwise by Data Protection Laws. For Quebec Customers and Quebec Personal Information, this DPA will not limit any mandatory rights or obligations under Quebec Privacy Law.

12.5 Order of Precedence. The following order of precedence applies with respect to Processing of Personal Data: (i) mandatory Data Protection Laws; (ii) Standard Contractual Clauses or other required transfer mechanism, where applicable; (iii) this DPA; (iv) the Agreement; and (v) any other referenced policies, unless the applicable document expressly states otherwise and is legally permitted to control.

13. PARTIES TO THIS DPA

13.1 Permitted Affiliates. By signing the Agreement, you enter into this DPA, including, where applicable, the Standard Contractual Clauses, on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms "Customer," "you," and "your" will include you and such Permitted Affiliates.

13.2 Authorization. The legal entity agreeing to this DPA as Customer represents that it is authorized to agree to and enter into this DPA for and on behalf of itself and, as applicable, each of its Permitted Affiliates.

13.3 Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.

13.4 Other Rights. The parties agree that you will, when reviewing our compliance with this DPA pursuant to the Demonstration of Compliance section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.

ANNEX 1 - DETAILS OF PROCESSING

A. Subject Matter

Apturio's Processing of Customer Personal Data in connection with the provision, support, maintenance, improvement, security, and administration of the Subscription Services and Consulting Services under the Agreement.

B. Duration

For the Subscription Term and any post-termination period during which Apturio Processes Customer Personal Data in accordance with the Agreement, this DPA, backup retention, legal obligations, or deletion procedures.

C. Nature and Purpose of Processing

Providing CRM, automation, communication, AI, support, analytics, integration, hosted environment, implementation, and related services; user authentication and authorization; customer support; security monitoring; troubleshooting; billing support; service improvement where permitted; compliance with legal obligations; and other Processing described in the Agreement or Customer's Instructions.

D. Categories of Data Subjects

Customer's employees, representatives, Users, prospects, leads, customers, patients or clients where applicable, contacts, website visitors, communication recipients, support requesters, and other individuals whose Personal Data is submitted to or collected through the Subscription Services by or on behalf of Customer.

E. Categories of Personal Data

Names, email addresses, phone numbers, mailing addresses, company information, job titles, CRM records, lead records, opportunity records, communication content and metadata, appointment information, form submissions, website interaction data, IP addresses, device and browser identifiers, authentication data, support ticket data, billing contact information, marketing preferences, consent records, workflow and automation activity, AI prompt and output data where enabled, and any other Personal Data submitted to the Subscription Services by or on behalf of Customer.

F. Sensitive Data

The Subscription Services are not intended for sensitive Personal Data unless expressly supported by the applicable Order, Product Specific Terms, or configuration. Customer is responsible for ensuring that sensitive Personal Data is submitted only where lawful and appropriately configured.

G. Frequency of Transfer

Continuous or as determined by Customer's use of the Subscription Services.

H. Processing Locations

Canada, United States, and other jurisdictions where Apturio, its Affiliates, or Sub-Processors operate, as described in this DPA or the Sub-Processor list.

ANNEX 2 - TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Apturio will maintain appropriate technical and organizational measures designed to protect Customer Personal Data, taking into account the nature, scope, context, and purposes of Processing, as well as the risk to individuals. Measures may include, as applicable:

1. Access Control

Role-based access controls, least-privilege access, unique user accounts, authentication controls, administrative access restrictions, and periodic access review practices.

2. Transmission and Storage Security

Encryption in transit where supported, encryption at rest where supported by hosting infrastructure or service providers, secure communication protocols, and reasonable key management practices.

3. System Security

Patch management, vulnerability monitoring, malware protection where applicable, secure configuration practices, environment separation where appropriate, and security logging.

4. Availability and Resilience

Backup, disaster recovery, redundancy, monitoring, and incident response practices appropriate to the Subscription Services.

5. Personnel Security

Confidentiality obligations, access limitations, onboarding and offboarding procedures, and privacy/security awareness appropriate to personnel roles.

6. Incident Response

Procedures for identifying, investigating, escalating, mitigating, documenting, and notifying Customer of Customer Personal Data Breaches as required by this DPA.

7. Sub-Processor Management

Contractual confidentiality and data protection obligations for Sub-Processors, reasonable diligence, and Sub-Processor notice practices.

8. Data Minimization and Retention

Controls or procedures designed to limit access and retention to what is reasonably necessary for the Subscription Services and legal obligations.

9. Customer Configuration

The Subscription Services may include configurable controls. Customer is responsible for using available controls to meet its compliance requirements, including permissions, user access, consent tracking, retention settings, workflow rules, and integration security.

ANNEX 3 - SUB-PROCESSOR INFORMATION

Apturio will maintain a Sub-Processor list or provide Sub-Processor information upon request. The list should identify, where reasonably available: Sub-Processor name, purpose, processing location or region, applicable feature or service, and whether the Sub-Processor is default or optional.

At minimum, Apturio should classify Sub-Processors by category:

1. Hosting and Infrastructure Providers

Cloud hosting, databases, storage, networking, monitoring, logging, backup, and security providers.

2. Communications Providers

Email, SMS, WhatsApp, telephony, chat, conversation, notification, and messaging providers.

3. Payment and Billing Providers

Payment processors, invoicing, tax, and subscription management providers.

4. Analytics and Product Operations Providers

Usage analytics, support analytics, error tracking, product monitoring, and performance providers.

5. AI and Automation Providers

AI model providers, automation engines, enrichment providers, transcription, translation, and workflow providers where enabled.

6. Support and Professional Services Providers

Ticketing, customer support, implementation, onboarding, training, and consulting providers.

ANNEX 4 - QUEBEC PIA SUPPORT INFORMATION

For Customer PIAs required under Quebec Privacy Law, Apturio will reasonably provide available information regarding:

1. The sensitivity of Customer Personal Data Processed by Apturio;

2. The purposes for which Apturio Processes Customer Personal Data;

3. The jurisdictions where Customer Personal Data may be Processed;

4. Categories of Sub-Processors involved in Processing;

5. Contractual safeguards used with Sub-Processors;

6. Technical and organizational security measures;

7. Retention, return, and deletion practices;

8. Incident response and notification practices;

9. Whether AI, tracking, profiling, or automated Processing features are enabled by Customer; and

10. Any material limitations or exclusions relevant to Customer's assessment.

Customer remains responsible for determining whether the transfer or communication of Personal Information outside Quebec is permissible under Quebec Privacy Law after completing the required assessment.
